Grafana And Athena

Grafana Athena datasources for env-dataops accounts use the standard same-account prod-grafana-read-only role pattern.

Required Pieces

Grafana source role can assume the target account’s prod-grafana-read-only role.
The target account has an Athena query-results bucket named data-platform-athena-query-results-<account-id>-us-east-1.
prod-grafana-read-only can write and read Athena query results in that bucket.
Lake Formation grants allow the role to read data_platform_usage tables that dashboards query.
Dashboard JSON must reference env-dataops datasource UIDs, not legacy athena-test-dataops.

Dashboard Guardrail

Do not copy panels from legacy test-dataops dashboards without checking the datasource UID. A panel that still points at athena-test-dataops can silently show legacy data.

Checked Against

implementations/2026-05-26-dl-474-env-dataops-grafana-dashboard-progress.md.
implementations/2026-05-28-dl-474-iceberg-table-health-all-envs-progress.md.
terraform/accounts/modules/grafana-athena-reader on origin/main.
terraform/kyuubi/grafana on origin/main.